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Abstract — This paper considers the problem of perfectly secure 
communication on a modified version of Wyner's wiretap channel 
II where both the main and wiretapper's channels have some 
erasures. A secret message is to be encoded into n channel 
symbols and transmitted. The main channel is such that the 
legitimate receiver receives the transmitted codeword with exactly 
n — v erasures, where the positions of the erasures are random. 
Additionally, an eavesdropper (wire-tapper) is able to observe the 
transmitted codeword with n — fj, erasures in a similar fashion. 
This paper studies the maximum achievable information rate 
with perfect secrecy on this channel and gives a coding scheme 
using nested codes that achieves the secrecy capacity. 

I. Introduction 

The wire-tap channel was introduced by Wyner [1], where 
a transmitter (Alice) wants to convey a secret message to 
a legitimate receiver (Bob) through a discrete memoryless 
channel (DMC). The message must be kept secret from an 
eavesdropper (Eve) who has a degraded version of the legiti- 
mate receiver's observation. Wyner has studied the information 
rates at which complete secrecy is possible in this system. 
This work was furthered by that of Csiszar and Korner |2), 
who generalized the secrecy concept to general wire-tap chan- 
nels, where the two receivers have noisy observations of the 
same channel transmission. They have studied the maximum 
possible secret information rate for this generalized wire-tap 
channel. 

The wire-tap channel II was studied in [3|, where the 
transmission length is fixed to n. Alice must convey a k 
symbol message to Bob by transmitting n symbols over the 
channel. Bob receives these symbols without noise and Eve 
can observe a fixed number, \i, of the transmitted symbols. 
Ozarow and Wyner provided a stochastic coding scheme based 
on cosets of linear codes for this channel. This scheme ensured 
successful decoding by Bob while Eve is kept completely 
ignorant as long as a good linear code is chosen and p is 
not too large. 

In this paper, we study a modified version of wire-tap 
channel II where the main channel can also have a fixed 
number of erasures, n — v. In other words, Bob can observe 
any v of the n channel symbols, and Eve can observe any fi 
of the channel symbols. Alice must devise a coding scheme 
that guarantees successful decoding by Bob while Eve can 
obtain no information about the message. We prove that the 
maximum amount of secret information that can be conveyed 
in this channel is v — fi, assuming v > fi. We then show how a 



nested coding scheme ([4|) can be used to achieve the secrecy 
capacity. 

A simple solution to combat erasures on the main channel 
is to use the existing Ozarow-Wyner coding scheme [3) 
(described shortly) , with an outer code for error correction. 
We propose a coding scheme based on Ozarow-Wyner's coset 
coding which is equivalent to adding an outer code. We use 
two codes C, C* that have only the zero codeword as the 
common element. We encode the secret message using C and 
encode a random vector with C*, and transmit the sum of the 
two resultant codewords. This formulation is easier to analyze 
compared to the cascaded encoder formulation since the inner 
and outer codes are combined into a single encoder. Also, 
it can be noted that when C + C* and C* are MDS codes, 
then the information rate equals the secrecy capacity of this 
channel. When v—fj, = 1, this coding scheme with MDS codes 
becomes identical to the coding scheme used by Shamir O 
for the (k, n)-threshold secret sharing scheme. 

To study the performance of our coding technique, we use 
the Dimension-Length Profile (DLP) property of linear block 
codes. The basic idea behind the DLP and its relation to wire- 
tap channels was first published by Wei [6]. The DLP property 
and its related LDP property were rigorously defined and 
studied by Forney [7|. Mitrpant, et al. [8| studied the secrecy 
capacity of wiretap channel II under a special case where some 
of the information bits are revealed. Their analysis uses the 
DLP properties of linear block codes and their expressions for 
secrecy capacity are similar to those in our paper. 

A practical example of this modified wire-tap channel II 
problem is in distributed storage depicted in figure Q] A user 
wants to store a secret information in n data nodes. These data 
nodes are susceptible to random failure. We want to design a 
system that can reconstruct the secret data from any v of the 
storage nodes. In addition, some of these storage nodes can 
also be read by an adversary (eavesdropper). The adversary 
can access only a limited number of these storage nodes (due 
to time, memory, geography or other constraints). The user 
wishes to store information in such a way that the adversary 
can obtain absolutely no information about the secret message 
even if he can read any /i of the storage nodes. 

The outline of the paper is as follows. In section [TT] we 
formally state our problem and give an overview of our 
notation. In the section Hill we state the Ozarow-Wyner so- 
lution for the wire-tap channel II and perform an analysis 
using dimension/length profile (DLP) of linear block codes. 
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Fig. 1. Secure distributed storage system with an eavesdropper 

In section [IV] we present a way to use nested codes, i.e. a 
set of two codes where one of the codes is a subcode of the 
other, on our modified wire-tap channel II and analyze the 
performance using the DLP of the underlying codes. 

II. Problem Statement and Formulation 

Let F be a finite field of size q. All the vectors in this 
discussion will be drawn from vector spaces on F and the 
logarithms are taken to the base q. The channel under consid- 
eration is depicted in fig. [2] Alice has a uniformly distributed 
fc-symbol random message S that must be conveyed to Bob by 
transmitting a n-symbol vector X over the channel. The main 
channel is such that a fixed number, n—v, of erasures occur in 
Bob's received codeword, Y. The positions of these erasures 
are randomly chosen. In addition, there is an eavesdropper 
who has the ability to tap into any fj, of the n transmitted 
symbols. Alice knows the values of v and \i. She does not 
know anything else about the erasures on the main channel 
or the symbols being tapped by Eve. Her task is to choose 
an encoding scheme which ensures that Bob can completely 
decode the message while Eve has complete equivocation over 
the message in spite of knowing the encoding procedure and 
the fi symbols revealed to her. A special case of the above 
problem when v = n is the case considered by Ozarow-Wyner 

First, we define some notation for the analysis of conditional 
entropy under erasure. Let / = {1, 2,3, ... ,n} be the index 
set for the elements in an n-symbol vector. Let J C I be the 
index set of the revealed positions. Given a vector X g F™, by 
Xj, we denote the vector in ¥' J ' which is formed by taking 
the elements of X indexed by the elements of the set J. In 
particular, note that (Xj, J) completely describes the result of 
erasing the symbols of X in positions I\J. 

Let M C I, W C I be the index set of the revealed symbols 
of the main channel and the wire-tapper's channel respectively. 



Fig. 2. Wiretap Channel II with erasures on the main channel 

Our objective is to devise a coding scheme such that, 

H{S\X M ) = 0, VAf C /, \M\ = v (1) 

H(S\X W ) = H(S), YW cI,\W\= n (2) 

where all the entropies are computed using base-g logarithms. 
The above conditions can be met only if \i < v — k. This is 
because the following necessary conditions must hold. 

1) for fx > v, and M C W, X — > X w —> X M is a Markov 
chain and by data processing inequality 

H{S\X M ) > H{S\X W ) 

Hence, conditions (fl} and (fJJ don't hold for this case. 

2) for n<v and W C M, we have the following necessary 
condition for achieving (HJ and (f2| 

k = H(S\X W )-H(S\X M ) 

= H(S\Xw) — H (S\Xw, X M \ W ) 
= I(S; X M \ W \X W ) 

< H(X M \ W \X W ) 

< H(X M \ W ) 

< v — fl 

III. Ozarow-Wyner Coding for Wire-tap II 

In Ozarow-Wyner coding for the wire-tap channel II with a 
perfect main channel, a (n,n — k) linear code C* is chosen. 
This code has q k cosets and we can construct an arbitrary 
bijection between the set of all cosets and the set of all possible 
fc-symbol messages. For a given message S, Alice chooses 
a random vector from the corresponding coset with uniform 
probability and transmits it. 

Since the main channel is perfect and the encoding is done 
such that any given n-tuple maps to a unique message, the 
decoding across the main channel is error-free. So, we have 

H(S\Y) = H{S\X) = 

Since X is uniformly distributed in F", we have q n ~\ w \ 
possible values (balls) for X with equal likelihood given Eve's 
observation Xw- If we bin these values based on their cosets, 
the non-empty bins correspond to the possible messages with 
non-zero probability. The a-posteriori probability of a message 
is equal to the fraction of balls present in the corresponding 
bin. It can be shown that the non-empty bins will have the 



same cardinality, which means that the possible messages are 
all equally likely. 

In the following, we cast the results of [3| and Jfjl in 
terms of the above balls and bins approach and then analyse 
the conditional entropy of the secret message using DLP 
properties. This gives a slightly different interpretation of the 
problem of coset coding with erasures, which is later used 
again in the next section to analyze the performance of coset 
coding on the modified wiretap II channel with erasures on 
the main channel. 

A. Coset binning 

Let a € ¥ n be a match for X\y in the symbol positions W. 
Let c be any codeword in C* with cw — 0. Clearly, c + a 
is also a match for the observation. Let C^ w = {c : c e 
C*,cw = 0}. It can be seen that Cj^ w is a subcode of C*. 
The set a + Cj> w is the set of all possible matches for Xw in 
the coset to which a belongs. Hence, the number of balls in a 
non-empty bin is I I ■ q™ - ' 1 ^ balls distributed in such a 
fashion will result in q n ~\ w \ /\Cj^ w \ non-empty bins. Hence, 

H{S\X W ) = n - \W\ - dim(C; w ) (3) 

For complete secrecy, we must achieve (f2| or equivalently 

min{H{S\X w ) : W C I, \W\ = fj,} = k 

=>• min{n - \W\ - dim(C; vw ) : W C I, \W\ = //} = k 

=>- n — fj, — max{dim(Cj\ w ) : W C I, \ W\ — fi} = k 

n - (i— kn-^CT) = k 

Here, ki(C*) denotes the i th dimension/length profile 
(DLP) of the linear code C*. For a detailed discussion on 
DLP, see Q. 

IV. Nested Codes 

In this section, we consider the case of the modified wiretap 
II channel where Bob gets only v of the n symbols in 
Alice's transmitted codeword and Eve gets /i of the codeword 
symbols. We propose and analyze a coding scheme for this 
channel. We then show that if the codes are MDS, then the 
coding scheme achieves the secrecy capacity of this channel. 

Let C be an (n, k) code and C* be an (n, k*) code, with 
< k < n and < k* < n — k. Also assume that 
C n C* = {0} and D = C + C*. Let G and G* be the 
generator matrices of the codes C, C* respectively. Let S be 
the uniformly distributed k symbol secret message, and E be a 
uniformly distributed random vector of length k*. We transmit 
X = SG + EG* and we try to analyze the case when we 
reveal only a certain number of symbols from X. Note that 
when k* = n — k, this nested coding scheme is the same as 
the Ozarow-Wyner scheme for Wire-tap II. 

The set of valid values of X can be binned into q k distinct 
cosets of C*. Every such coset of C* maps to a distinct 
message in ¥ k . Let J C / be the index set of the revealed 
symbols. Given the observation Xj, we use the binning 
approach in the previous section to find the wire-tapper's 
equivocation. Given Xj, the number of possible solutions for 
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Fig. 3. Amount of leaked information vs. number of revealed symbols for 
the case of nested MDS codes 

X is The size of the non-empty bins is the same as 

in the previous section. We have, 

H(S\Xj) = dim(D AJ ) - dim(CV) ( 4 ) 

To satisfy the conditions in (Q]) and (f2j), we must have 

dim(L> AM ) - dim(C; w ) = VMc I, \M\ = v 
dim(Z> /w ) - dim(C; w ) = k VWcI, \W\ = fx 

A. Using nested MDS codes 

For a (n, k) maximum distance separable (MDS) code C, 
we have 

dim(C7 V7 ) = max{0, k - \ J\} (5) 

Hence, if we choose the codes D and C* to be nested MDS 
codes, we will have 

dim(£> AJ ) - dim(C AJ ) (6) 
= max{0, k + k* - \ J\} - max{0, k* ~ \ J\} (7) 




0, |J|>fc + fc* 
fc + fc*-|J|, k*<\J\<k + k* (8) 
k, 0<\J\<k* 



A sketch of the plot of the above function vs. \J\ is shown in 
fig E] for the case when k = v — fx, k* = /J,. 

Suppose there is a situation where n, /i, v are specified and 
we are free to choose the symbol alphabet F. From the analysis 
in the previous section, we can achieve the maximum possible 
secret information rate by choosing F to be a field of size not 
less than n and construct two nested Reed-Solomon codes 
D, C* of dimensions u, /i respectively. We then have, 

dim(D AM ) - dim(CV* w ) = 0, VM C I, \M\ = v 

(9) 

dim(D AW ) - dim(C; w ) = v - M , W C J, \W\ = n 

(10) 

In this case, we have a coding scheme that achieves the 
maximum possible secret information rate. Table H] illustrates 
how to choose nested MDS codes for the erasure-erasure 
wiretap channel. 



Channel parameters 


n = 255, v = 200, n = 150 


Secrecy capacity 


#k * 0.196 


Code D 


(255,200) RS code over F 256 . Generator 
polynomial g(x) = (x — a)(x — a 2 )(x — 
a 3 ) ■ ■ ■ (x - a 55 ) 


Code C* 


(255, 150) RS code over F256. Generator 
polynomial g(x) = (x — q)(x — a 2 )(x — 
a 3 ) ■ ■ ■ (x - a 105 ) 



TABLE I 

Nested MDS coding scheme example 



V. Conclusion 

In this paper, we have studied the erasure-erasure wiretap 
channel model where the numbers of erasures are fixed but the 
positions of the erasures are chosen at random. We have shown 
that a coding scheme based on nested MDS codes achieves the 
secrecy capacity of this channel. We have assumed that the 
channel model permits us to choose the finite field over which 
we draw the symbols. Analyzing the secret information rate 
of general (non-MDS) nested codes over a similar channel is 
a natural generalization of our problem. This will also lead us 
to design secure coding schemes for a much wider choice of 
channels. 
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